Skip to main content

wf create workspaceaccesstoken

wf create workspaceaccesstoken

Creates a workspace access token to access Wayfinder or workspace clusters in this workspace


Creates workspace-scoped access tokens to permit automated access to managed resources (API, clusters) in a single workspace. Access tokens are exchanged upon usage for ephemeral access tokens with short-lived lifecycles.

Access tokens have no permissions on creation. To grant access, see 'assign':

For cluster access: $ wf assign accessrole --help For access to Wayfinder itself: $ wf assign wayfinderrole --help

The default output from this command is the environment variables containing the token, endpoint and workspace. These are usually copied as secrets into your chosen CI.

Generated tokens are only visible on creation and cannot be retrieved if lost. You can reset a token and get a new one, invalidating any previous ones, using the --reset-token flag to this command.

wf create workspaceaccesstoken <name> [-w <workspace>] [flags]


# Create a workspace-scoped token (for deployments and automation within a single workspace)
$ wf create -w <workspace> workspaceaccesstoken <name>

# Create a token and generate a Wayfinder config, with an optional description:
$ wf create -w <workspace> workspaceaccesstoken <name> --show-config -d "My deployment token"

# Create a token and generate a Wayfinder config suitable for export (no padding, no comments):
$ wf create -w <workspace> workspaceaccesstoken <name> --show-config -o export > token.env

# Regenerate and replace current token for an existing access token (any assigned roles are preserved):
$ wf create -w <workspace> workspaceaccesstoken <name> --reset-token

# Assign permissions in workspace clusters to access tokens via the assign command:
$ wf assign accessrole -w <workspace> --workspace-access-token <name> --role <role name>

# Assign permissions to use Wayfinder to access tokens via the assign wayfinderole command:
$ wf assign wayfinderrole -w <workspace> --workspace-access-token <name> --role <role name>

You can test the above via
WAYFINDER_CONFIG=<path> wf [commands]


  -d, --description string   Optional description of the access token
--dry-run Render the resource to screen rather than implement
-h, --help help for workspaceaccesstoken
--non-interactive Do not prompt for user input
--reset-token Reset the token if the named token already exists (default: error if already exists)
--show-config Write out a Wayfinder configuration file with access token
--show-token Show only the raw token

Options inherited from parent commands

      --debug              Indicates we should use debug / trace logging (default: false)
--force Used to force an operation to happen (default: false)
--no-wait Indicates we should not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your default for this command
--show-headers Indicates we should display headers on table out (default true)
--verbose Enables verbose logging for debugging purposes (default: false)
-w, --workspace string The workspace you are operating within